CVE-2026-45580
Undergoing Analysis - In Progress
Stored XSS in WWBN AVideo Live Plugin

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream's live page executes attacker JavaScript in the platform origin.
Meta Information
Published: 2026-05-29
Last Modified: 2026-05-29
Generated: 2026-05-29
AI Q&A: 2026-05-29
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: wwbn
Product: avideo
Version / Range: to 29.0 (exc)
CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-45580 is a stored cross-site scripting (XSS) vulnerability in the WWBN AVideo platform, specifically in the Live plugin's "YouTube-style" view.

The vulnerability occurs because the live transmission's stream key is echoed directly into an HTML class attribute without first being escaped with htmlspecialchars().

An attacker with canStream privileges can submit a crafted stream key containing malicious JavaScript event handlers via the saveLive.php endpoint.

When any visitor, logged in or anonymous, opens the attacker's live page, the injected JavaScript executes in the context of the AVideo platform, potentially allowing the attacker to steal session cookies or perform other malicious actions.


How can this vulnerability impact me?

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the browsers of visitors to the affected live stream page.

Potential impacts include theft of session cookies, which could lead to account takeover, unauthorized actions performed on behalf of the victim, and other malicious activities within the AVideo platform origin.

Since the vulnerability affects both logged-in and anonymous users, it can compromise user data and platform integrity.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the Live plugin's "YouTube-style" view pages for unescaped stream keys that are rendered directly into HTML class attributes. Specifically, look for stream keys containing suspicious characters or event handlers such as 'onmouseover' that could indicate an attempted cross-site scripting (XSS) attack.

To detect exploitation attempts or presence of malicious stream keys, you can search the database or logs for stream keys containing suspicious patterns or event handlers.

  • Use SQL queries to find stream keys with suspicious characters, for example: SELECT * FROM live_transmitions WHERE `key` LIKE '%onmouseover%' OR `key` LIKE '%onerror%' OR `key` LIKE '%<script>%';
  • Monitor HTTP requests to plugin/Live/saveLive.php for POST data containing suspicious stream keys.
  • Use web vulnerability scanners or browser developer tools to inspect the HTML source of live stream pages for unescaped stream keys in class attributes.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to apply proper escaping of the stream key when rendering it in HTML contexts by using the PHP function htmlspecialchars(). This prevents malicious JavaScript from executing.

Additionally, enforce a character allowlist on the live_transmitions.key field at write time to restrict stream keys to safe characters only.

If possible, update the AVideo platform to a version later than 29.0 where this vulnerability is fixed.

Monitor and audit existing stream keys for suspicious content and remove or sanitize any malicious entries.
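
The two mitigations above, escaping at render time and an allowlist at write time, shown side by side with the raw-echo pattern. This is an added PHP example, not AVideo's own code or its actual patch; the function names, the `live_` class prefix, the allowlist pattern and the sample keys are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; AVideo's real code is organised differently.

// Write-time check: accept only characters that are inert in any HTML context.
// The pattern and the 64-character limit are assumptions; match them to the
// key format your deployment actually generates.
function isAllowedStreamKey(string $key): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $key) === 1;
}

// The pattern the advisory describes: raw echo into a class attribute.
function renderClassRaw(string $key): string
{
    return '<div class="live_' . $key . '"></div>';
}

// Hardened render: escape the value for a quoted attribute before output.
function renderClassEscaped(string $key): string
{
    $safe = htmlspecialchars($key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="live_' . $safe . '"></div>';
}

// Constructed sample values, not taken from a real installation.
$samples = [
    'abc123_DEF-456',             // shape of an ordinary generated key
    'abc" onmouseover="void(0)',  // double quote closes the attribute early
];

foreach ($samples as $key) {
    printf("key:     %s\n", $key);
    printf("allowed: %s\n", isAllowedStreamKey($key) ? 'yes' : 'no (reject at save)');
    printf("raw:     %s\n", renderClassRaw($key));
    printf("escaped: %s\n\n", renderClassEscaped($key));
}
```

For the second sample the raw output contains a separate onmouseover attribute, while the escaped output keeps the whole key inside the class value as `&quot;` entities. The same isAllowedStreamKey() check can be run over existing rows when auditing stored keys.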


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

